tv Admiral Michael Rogers Discusses Cybersecurity CSPAN November 26, 2016 3:25am-3:50am EST
this is a very serious problem. there are communities in parts of the u.s. where new businesses cannot start because not enough people can pass a drug screening. dr. desmond-hellmann: the prescribing habits are a very big part of that. my husband had a shoulder replaced, he walked out with a prescription of 90 onto gotten -- oxycontin. dr. frieden: this is a huge problem. when i went to medical school, they taught us you can get a patient with rain in opiate and they will not get addicted. completely wrong. laura: lying through the mouth. dr. desmond-hellmann: there has to be a complete rebooting of pain prescribing and it has to be done with a sense of urgency that is not consistent with typical continuing medical education. background,ogist by so there are times when you need pain medicine. however, what we have got in the
united states today is inconsistent with those times. >> can i ask another drug-related question? a number of states have legalized marijuana. is the science good enough on that? what is your feeling on the safety of increased marijuana use as a result of legalization? dr. desmond-hellmann: two comments -- one, it is severely understudied and needs more research. i'm a data-driven person. we need more data. there are data on young people and marijuana. that is from a public health standpoint. that is my number one concern. >> how was it possible after decades of the grateful dead -- [laughter] dr. desmond-hellmann: there is a concert and then there are studies. laura: their brains are gone by the time they are 15. dr. frieden: there are harms that are known but not widely known. it is something we don't know because it has not been legal to
study. we need to know much more, but there are known arms for young people in other contexts. there is a big difference between legalization and decriminalization. >> would the two of you as medical specialists be advising a state to legalize or decriminalize marijuana use? dr. desmond-hellmann: as a physician, i would say decriminalizing, sign me up. legalizing, i want more data. dr. frieden: i agree with sue. >> other questions? yes. >> thank you. global are looking at health risks from a business standpoint, it has never ceased to surprise me over the last half decade that we have not been very prophylactic, we have been reactive whether it has been ebola, zika.
for instance, i have not seen enough studies on the consequences of climate change as one of the root causes for certain mutations. it seems to be that you are interested. on the prophylactic aspect of it, so we are not constantly fighting, trying to climb up a hill. dr. frieden: i will let sue comment on the climate issue. because of prevention, because we don't know where the next threat will come from, what is most important is to establish systems that can find it when it emerges and figure out how to prevent it. that is what global health security is all about. that is why we have established laboratory efforts so they can figure out what is going on when and where it first emerges. they can do the work there. what we need is essentially what
we would call a health care quotient. capacity that is used every day because we know if you want to break the glass in an emergency and use a new system, it will not work well. if you do every day to deal with food poisoning or an outbreak, then you can scale it up if there is an emergency. that is what we have to do to strengthen those systems. dr. desmond-hellmann: there is no doubt that deforestation changes, changes in water availability and climate, have driven changes in animal patterns of infection. they have changed patterns of productivity on farms. one of the great concerns we have is smallholder farmer productivity, especially in sub-saharan africa, but globally as a result of climate change. it is part of our investment at the gates foundation, enabling those farmers.
we are also very interested in pandemic preparedness. how does that change animal health and what are the implications for human health. >> one more 32nd question for the both of you from one of the ceos. what country has the model health care system in your impression and what makes it so? dr. desmond-hellmann: go ahead. dr. frieden: sue knows more. without naming a country, there are scandinavian countries that have sensible models where, quite frankly, the goal is to optimize health. if you look at our health care system, it is not a prominent goal to optimize health. there are lots of other goals. if you look at low income countries, i would point to ethiopia which has had the most success and most impressive system i have seen, where they have young women, well-trained, well supervised, will supply all
of the country providing care for the most important problems. if you look at a low income model, that is the most impressive i have seen. some of the scandinavian models are able to keep costs down and helping people live longer, more productive lives at lower cost. dr. desmond-hellmann: i'm really excited to see the government of yu-gi-oh be a is doing with -- is doing with the citizens. using vaccination, nutrition, well baby care -- classic things that they had a profound impact. with relatively low education, because human resources are a big issue, they have a plan to transform the health and their entire country in a very poor area. people talk about rwanda. a small country so the scale of madeethiopia has done and progress on is really exciting to see.
>> thank you so much. [applause] >> admiral michael rogers heads u.s. cyber command and the national security agency. in this interview at the wall street journal ceo council, he talks about national security and computer threats facing the public and private sectors. [applause] >> good morning, everyone. thank you for joining us, admiral. i have to clarify -- you're admiral rogers, director of the nsa. you are from chicago. >> i am not a congressman from michigan. >> we can make our own headlines here. how worried should be ceo's out here be about the state of cyber security? >> clearly do we have a challenge here that requires attention? yes.
is there a role for ceo's to play in this? yes. who when i talk to the sea-suite, one of the things i will normally ask when talking to ceo's talk to me about the conversation you are having with your cio and cfo. tell me about how your setting expectations. is a guy who defends networks, you don't want your network security being decided unilaterally what is important to you as an organization. you as a leader need to set that tone. if you've got to prioritize, this is what i want you to focus on. this is what i think we need to or should be willing to take some level of risk.
when i ask cio's with a think is important, i get totally different answers. and you need to shape that discussion. you have many other challenges for your time. i don't pretend that this needs to dominate your life. but there is a significant role for you to play. >> what can go wrong? you remember the sony hack, you got a call one thanksgiving. admiral rogers: i was with my family. >> what can we learn from what happened at sony? admiral rogers: i thought the positives were great collaboration between a private company, the computer network
expertise they brought on, they knew they were dealing with something and so they hired expertise and capability from within the private sector. they then came to the conclusion that this was something bigger than they had initially potentially thought, and they felt they needed to reach out to the government. i give them big kudos for that. they could have said to themselves, we need to minimize this. let's not really confront this publicly. i thought it was a real positive. they were very up front when they approach the government. we would like your assistance in trying to make sure we truly understand what happened. also, we would like your views on how do we make sure that doesn't happen again. they were very open. one of my concerns was i'm a
government guy and i and others, i'm part of the government team, and we are going if you want us to provide value and insight, the only way this will work is if we get full access to your network and data. it's the only way we can really generate the level of insight i think you expect from us. i realize that may make you uncomfortable. your opening your structure, your networks, your data to the government. you have to be comfortable with that. they came back to us and said, we are comfortable with that. we ask that you inform us of what you're doing, why you are doing it, and exactly what you are doing, and you stick to that. as long as we do that, we have no issue. i thought the dialogue between -- sony is a company, the private entity they hired, and
the u.n. government response team, largely ourselves, fbi, and dhs. great information flow. >> but there were some things that went wrong. it took them a lot of time to detect this, right? admiral rogers: what we usually find -- it doesn't matter if it's a commercial network, if it's government network. networks i've been accountable for defending, we find there is a significant time lag for most organizations between discovery of activity and the time the adversary initially penetrated the network. that is normally some period of time between 3 to 6 months. that was certainly the case in the sony scenario. >> how concerned should we be about state actors? north korea was reportedly one
in the sony incident. admiral rogers: the fact that the set of actors is so large and so diverse is one of the problems. probably depending on what source you want to use, from a cyber defensive standpoint, probably 60% to 65% of the activity of concern we see is criminal, individuals looking to access systems for access to personally identify information, social security numbers, credit card information. they sell it, and use it to generate revenue. criminal activity includes theft of intellectual property. at the same time, you have nationstates are you find are engaged in actions designed to penetrate the networks within the commercial sector. you also find individuals
sometimes and groups who are brought together under a specific ideology or focus that brings this disparate group of disconnect. it will harness the power of the world wide web to bring together people with little previous common interaction knowledge of awareness in each other. it will bring this wide group of geographically dispersed individuals who will coalesce around a particular issue. they will harness the interest with a specific outcome. there's a wide range of actors out there.
want to ask the ceo's out there a polling question and i will also ask the admiral as well. do you trust the government enough to work with your information to work with it during a cyber attack, a, absolutely, b, only if my company is attacked, and c, never. a public-private partnership that has not gotten off the ground may be the way it should. admiral rogers: clearly we will have to wait and see what the future holds. on the other hand, my concern is i don't want it to get to the point where it takes some significant calamity to drive this to the conclusion that we've got to do something different than what we are doing now, but the ultimate solution is how you can bring this
public-private partnership. want to ask the ceo's out there as a director of nsa and cyber command, the agreement i reach with who ever we are working with, i will not use the data we gained for anything other than the exact purpose i communicate to you. it just doesn't work that way. i certainly understand the concern. that fits into a broader historic narrative. as a nation we have to differentiate between what is the role of the government and what is the role of the private sector. that has stood us in pretty good stead. my comments would be, cyber does not recognize these arbitrary lines we have drawn. we love to organize around geography in the army. network structures and the world wide web, they are not organized that way.
we often use these kinds of traditional boundaries as vehicles to help us organize a deal with problems. i don't think they are necessarily optimized for the world we are living in now. it's unrealistic to expect the private sector to withstand the little onslaught of activity being directed against them. likewise, i don't think it's realistic to say, the government will just do this. the challenge with the government doing it, if you want to defend something, i can't do it from the outside. it's like fighting with one hand tied behind your back. it doesn't generally lead to positive outcomes. >> the poll numbers show, 56% absolutely, 34% only if my company is attacked. admiral rogers: less than 10% of
you said there are no circumstances under which i would consider doing that. that means there a willingness among 99% of you to have some form of dialogue, and potentially look at that as a possibility. >> i want to talk about tech. you talked about encryption. you are a proponent of encryption. we had this san bernardino phone. how can you be pro-encryption and favorite intelligence getting more of what it needs? admiral rogers: my experience leads me to believe it's very simplistic to paint it as either/or. i'm the first to acknowledge that i don't know what the right
answer is right now. at its heart, we are a nation about can-do. every time i'm out in silicon valley and him talking to leaders out there, i will say, your model is all about the power of possibility and yet we are spending a lot of time talking about what we cannot do. we need to differentiate between what can we not do versus what should we not do. those are two different conversations to me. i think the tech sector plays a huge role in that. we want to have a broad dialogue and generate a broad consensus here. a government arbitrarily deciding, this is the right answer. from a corporate perspective,
it's your role -- i don't think it's your role to tell us what the right answer is. the sweet spot is, can we come together and answer the right question. what could we do? that's largely a technical issue. so, given that, what should we do? you gave me a set of possibilities. which of those should we have to do? that gets into policy, the legal framework, ethics, what are we comfortable with. those are -- that's an important conversation for us, and a conversation i would argue you want to have at a much broader framework than, let's get 10 tech people together and let them figure this out. >> given the scale of isis and
terrorism, is the tech community doing enough? admiral rogers: clearly we are not where we want to be or need to be. if you look at the level of activity out there, if you look at how the dynamics are changing here, i don't think where we want to be. some would argue, i understand that intellectually. you are asking me to do something that is really not my function. i think you are part of the solution. i don't pretend for a moment that it is only your issue or only your challenge. i think we just need to expand the number of parties involved in this conversation about what can we do and what should we do.
>> wikileaks, you told npr in august that these e-mails were late for a reason and to achieve an effect. what can you tell us about wikileaks from what you know? admiral rogers: because there is an ongoing investigation, i'm not going to get into the specifics. i'm very comfortable with that. there shouldn't be any doubt in anybody's mind, this is not something that was done casually. this is not something that was done by chance. this was not a target selected purely arbitrarily. this is a conscious effort by a nationstate to attempt to achieve a specific effect and we are very public in a government as saying that. you have also been public as a government in saying, this is not acceptable. >> we will go to questions now.
this first question from one of the ceo's. how proactive are we being against the persistent hacking coming from russia and china? and i suspect by the word proactive, it doesn't just mean defense. admiral rogers: every case is different. but i remind people, when you step back and think about how we going to change the dynamic we are dealing with out here, there's got to be multiple aspects to that. you see us addressing -- we are trying to make life harder for hackers, we are trying to increase the level of knowledge, increase capabilities. we are trying to deal directly with a host of nationstates around the world and engaging with them in terms of what's acceptable from our perspective, what is not. we are using the legal tool. we have used indictments against
prc and iranian individuals. we are prepared to use multiple tools and capabilities within our toolkit, if you will, to design, to drive you to change your behavior. on the chinese piece, the conversation that led to the presidential summit in september of 2015, where the two presidents, xi jinping and president obama, came out and said we agree we will not use cyber as a tool of a nationstate to gain economic advantage. that had been one of our biggest issues with our chinese counterparts. you acknowledge nationstates will use ciber as a tool to gain insight and knowledge about what is going on in the world aroun